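def extract_lzma(buf, fname, res_dir):
    """Decompress the LZMA-alone stream in *buf* and write it to ``res_dir + fname``.

    *buf* is read as a 13-byte LZMA-alone header (one properties byte, a dword
    dictionary size, a qword uncompressed length) followed by the payload.
    ``pylzma.decompress_compat`` expects only the 5-byte properties/dictionary
    header, so that part is re-packed little-endian and prepended to the
    payload starting at byte 13; the length field is dropped.

    :param buf: raw LZMA-alone stream (bytes)
    :param fname: output file name, appended verbatim to *res_dir*
    :param res_dir: output directory prefix; it must already end with a path
        separator because nothing is inserted between the two parts
    """
    b = Buffer(buf)
    stream_prop = b.GetByte()
    dico_size = b.GetDword()
    # Uncompressed length is not needed by decompress_compat; the read is
    # kept only so the reader position matches the original code.
    b.GetQword()
    new_head = struct.pack("<B", stream_prop) + struct.pack("<I", dico_size)
    # NOTE(review): fname goes into the output path unsanitised; if it is taken
    # from the container being extracted it should be reduced to a bare
    # basename by the caller — confirm where fname comes from.
    # Context manager: the original dropped the handle without closing it, so
    # data could stay unflushed if the interpreter exited early.
    with open(res_dir + fname, "wb") as out:
        out.write(pylzma.decompress_compat(new_head + buf[13:]))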
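def decompress(f, rename_to=None):
    """
    Decompress a compressed file by the extension.
    Only supports .7z and .zip files; the extension is matched
    case-insensitively so ``.ZIP`` / ``.7Z`` are accepted too.

    ``.7z``: the file is read whole, bytes 5..12 are dropped and the rest is
    passed to ``pylzma.decompress_compat``; the result is written to the input
    path minus its extension, or to *rename_to* when given.
    NOTE(review): that byte surgery treats the input as an LZMA-alone stream
    with its 8-byte size field removed, not as a 7z container — confirm the
    format the producer actually writes.
    ``.zip``: every member is extracted into the archive's directory and
    *rename_to* is ignored.

    :type f: str
    :param f: Full path to file
    :type rename_to: str or None
    :param rename_to: Output path for the ``.7z`` case; ignored for ``.zip``
    :return: output path (str) for ``.7z``; for ``.zip`` the list of extracted
        paths, collapsed to a single str when the archive has exactly one member
    :raises ValueError: if the extension is not one of the supported types
    """
    f_types = ['.7z', '.zip']
    fn, ext = os.path.splitext(f)
    ext = ext.lower()
    if ext not in f_types:
        raise ValueError("f extension must be one of %s" % f_types)
    fn = fn if rename_to is None else rename_to
    if ext == f_types[0]:
        with open(f, "rb") as fl:
            cdata = fl.read()
        with open(fn, 'wb') as fl:
            # pylint: disable=E1101
            fl.write(pylzma.decompress_compat(cdata[0:5] + cdata[13:]))
    elif ext == f_types[1]:
        with zipf.ZipFile(f) as z:
            p = os.path.dirname(f)
            # Assuming zipf is the stdlib zipfile module: extractall() strips
            # absolute prefixes and ".." components from member names, so
            # members cannot land outside p.
            z.extractall(p)
            fn = [os.path.join(p, i) for i in z.namelist()]
            if len(fn) == 1:
                fn = fn[0]
    return fn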
 def test_compression_decompression_noeos(self):
     """Round-trip random buffers of 1..2**17 bytes through compress/decompress_compat.

     Streams are produced without an end-of-stream marker (``eos=0``); the
     decompressed output is cut back to ``size`` before the MD5 digests are
     compared (presumably because decoding without EOS may yield trailing
     bytes — not verified here).
     """
     sizes = (1 << exponent for exponent in range(18))
     for size in sizes:
         original = generate_random(size)
         compressed = pylzma.compress(original, eos=0)
         result = pylzma.decompress_compat(compressed)[:size]
         self.assertEqual(md5(original).hexdigest(), md5(result).hexdigest())
 def test_compression_decompression_noeos(self):
     """Round-trip random buffers of 1..2**17 bytes through compress/decompress_compat.

     Streams are produced without an end-of-stream marker (``eos=0``); the
     decompressed output is cut back to ``size`` before the MD5 digests are
     compared (presumably because decoding without EOS may yield trailing
     bytes — not verified here).
     """
     sizes = (1 << exponent for exponent in range(18))
     for size in sizes:
         original = generate_random(size)
         compressed = pylzma.compress(original, eos=0)
         result = pylzma.decompress_compat(compressed)[:size]
         self.assertEqual(md5(original).hexdigest(), md5(result).hexdigest())
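def decompress(f, rename_to=None):
    """
    Decompress a compressed file by the extension.
    Only supports .7z and .zip files; the extension is matched
    case-insensitively so ``.ZIP`` / ``.7Z`` are accepted too.

    ``.7z``: the file is read whole, bytes 5..12 are dropped and the rest is
    passed to ``pylzma.decompress_compat``; the result is written to the input
    path minus its extension, or to *rename_to* when given.
    NOTE(review): that byte surgery treats the input as an LZMA-alone stream
    with its 8-byte size field removed, not as a 7z container — confirm the
    format the producer actually writes.
    ``.zip``: every member is extracted into the archive's directory and
    *rename_to* is ignored.

    :type f: str
    :param f: Full path to file
    :type rename_to: str or None
    :param rename_to: Output path for the ``.7z`` case; ignored for ``.zip``
    :return: output path (str) for ``.7z``; for ``.zip`` the list of extracted
        paths, collapsed to a single str when the archive has exactly one member
    :raises ValueError: if the extension is not one of the supported types
    """
    f_types = ['.7z', '.zip']
    fn, ext = os.path.splitext(f)
    ext = ext.lower()
    if ext not in f_types:
        raise ValueError("f extension must be one of %s" % f_types)
    fn = fn if rename_to is None else rename_to
    if ext == f_types[0]:
        with open(f, "rb") as fl:
            cdata = fl.read()
        with open(fn, 'wb') as fl:
            # pylint: disable=E1101
            fl.write(pylzma.decompress_compat(cdata[0:5] + cdata[13:]))
    elif ext == f_types[1]:
        with zipf.ZipFile(f) as z:
            p = os.path.dirname(f)
            # Assuming zipf is the stdlib zipfile module: extractall() strips
            # absolute prefixes and ".." components from member names, so
            # members cannot land outside p.
            z.extractall(p)
            fn = [os.path.join(p, i) for i in z.namelist()]
            if len(fn) == 1:
                fn = fn[0]
    return fn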
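def extract_lzma(buf, fname, res_dir):
    """Decompress the LZMA-alone stream in *buf* and write it to ``res_dir + fname``.

    *buf* is read as a 13-byte LZMA-alone header (one properties byte, a dword
    dictionary size, a qword uncompressed length) followed by the payload.
    ``pylzma.decompress_compat`` expects only the 5-byte properties/dictionary
    header, so that part is re-packed little-endian and prepended to the
    payload starting at byte 13; the length field is dropped.

    :param buf: raw LZMA-alone stream (bytes)
    :param fname: output file name, appended verbatim to *res_dir*
    :param res_dir: output directory prefix; it must already end with a path
        separator because nothing is inserted between the two parts
    """
    b = Buffer(buf)
    stream_prop = b.GetByte()
    dico_size = b.GetDword()
    # Uncompressed length is not needed by decompress_compat; the read is
    # kept only so the reader position matches the original code.
    b.GetQword()
    new_head = struct.pack("<B", stream_prop) + struct.pack("<I", dico_size)
    # NOTE(review): fname goes into the output path unsanitised; if it is taken
    # from the container being extracted it should be reduced to a bare
    # basename by the caller — confirm where fname comes from.
    # Context manager: the original dropped the handle without closing it, so
    # data could stay unflushed if the interpreter exited early.
    with open(res_dir + fname, "wb") as out:
        out.write(pylzma.decompress_compat(new_head + buf[13:]))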
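# Request-line signatures tried when the payload starts with "GET".
# Each entry is (label printed on a hit, compiled pattern). Every pattern is
# tried in order and every hit is printed, exactly like the former inline
# chain of re.search() calls; compiling once at import saves re-doing it on
# each (possibly recursive) ParseFile call.
_GET_PATTERNS = [
    # Angler
    ("Angler GET", re.compile(
        r'(GET /.{1,25}/index.php\?PHPSESSID=.{1,6}&action=.{12}.{1,512})\r\n\r\n',
        re.S)),
    ("Angler GET", re.compile(
        r'(GET .{0,100}/.{1,25}/viewtopic.php\?t=.{1,6}&f=.{12}.{1,512})\r\n\r\n',
        re.S)),
    ("Angler GET", re.compile(
        r'(GET .{0,100}/.{1,25}/viewforum.php\?f=.{1,6}&sid=.{12}.{1,512})\r\n\r\n',
        re.S)),
    ("Angler GET", re.compile(
        r'(GET .{0,100}/.{1,25}/search.php\?keywords=.{1,6}&fid0=.{12}.{1,512})\r\n\r\n',
        re.S)),
    ("Angler GET", re.compile(
        r'(GET .{0,100}/topic/[0-9]{4,12}(-[a-z]{3,20}){3,10}/ HTTP.{1,512})\r\n\r\n',
        re.S)),
    # RIG
    ("RIG GET", re.compile(
        r'(GET .{0,100}/\?[a-zA-Z0-9]{15}=[a-zA-Z0-9_-]{100,200} HTTP.{1,512})\r\n\r\n',
        re.S)),
    # EITest gate
    ("EItest GET", re.compile(
        r'(GET /[a-z0-9\-]{80,150}/[a-z]{1,20}\.html HTTP.{1,512})\r\n\r\n',
        re.S)),
    # Magnitude
    ("Magnitude GET", re.compile(
        r'(GET .{0,100}/\?[a-z0-9]{38} HTTP.{1,512})\r\n\r\n', re.S)),
    # Neutrino
    ("Neutrino GET", re.compile(
        r'(GET.{1,512}Media Center PC 6\.0; rv.{1,100})\r\n\r\n', re.S)),
]

# Body signatures tried for anything that is not a GET request or a
# compressed SWF container.
_BODY_PATTERNS = [
    # AfraidGate
    ("AfraidGate", re.compile(
        r'^(document\.write\(.{200,400}i\'\+\'frame.{5,20}\))', re.S)),
    # Pseudo Darkleech (label spelling kept as-is so existing output is unchanged)
    ("Psuedo Darkleech", re.compile(
        r'(<span id=\".{1,20} style=\"display:none\">).{3000,10000}</span>',
        re.S)),
]


def _report_matches(data, name, patterns):
    """Print ``label, name`` and the first capture group for every pattern in *patterns* that matches *data*."""
    for label, pattern in patterns:
        search = pattern.search(data)
        if search:
            print label, name
            print search.group(1)


def ParseFile(data, name):
    """Scan one captured payload for exploit-kit indicators and print the hits.

    The payload is first run through the YARA rules in ``rules.yr`` (loaded
    from the current directory on every call, including recursive ones) and
    each rule hit is printed as ``name rule``. Then, by the first three bytes:

    * ``CWS`` (zlib-compressed SWF) / ``ZWS`` (LZMA-compressed SWF): the body
      is decompressed, re-framed as an uncompressed ``FWS`` file that keeps
      bytes 3..7 of the original header, and fed back into ``ParseFile``.
      A decompression failure prints a short error and stops.
    * ``GET``: the request line is matched against ``_GET_PATTERNS``.
    * anything else: the body is matched against ``_BODY_PATTERNS``.

    :param data: raw payload (str, this is Python 2 code)
    :param name: identifier printed with every hit, e.g. the source file name
    """
    # NOTE(review): matches['main'] assumes the yara binding returns a dict
    # keyed by namespace (old yara-python API) — confirm against the version
    # in use; current yara-python returns a list.
    rule = yara.compile("rules.yr")
    matches = rule.match(data=data)
    if len(matches) > 0:
        for hit in matches['main']:
            print name, hit['rule']

    magic = data[:3]
    if magic == 'CWS':
        # zlib-compressed SWF: 'CWS' + version(1) + length(4) + zlib stream
        try:
            new = 'FWS' + data[3:8] + zlib.decompress(data[8:])
        except Exception:
            # Was a bare except; Exception still covers zlib.error and bad
            # input types but no longer swallows KeyboardInterrupt/SystemExit.
            print "zlib error "
            return
        ParseFile(new, name)

    elif magic == 'ZWS':
        # LZMA-compressed SWF: the 5-byte LZMA properties start at byte 12
        try:
            new = 'FWS' + data[3:8] + pylzma.decompress_compat(data[12:])
        except Exception:
            print "pylzma error "
            return
        ParseFile(new, name)

    elif magic == "GET":
        _report_matches(data, name, _GET_PATTERNS)
    else:
        _report_matches(data, name, _BODY_PATTERNS)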
 def test_decompression_noeos(self):
     """decompress_compat must restore ``self.plain`` from a stream lacking the end-of-stream marker."""
     restored = pylzma.decompress_compat(self.plain_without_eos)
     expected = self.plain
     self.assertEqual(restored, expected)
 def test_decompression_noeos(self):
     """decompress_compat must restore ``self.plain`` from a stream lacking the end-of-stream marker."""
     restored = pylzma.decompress_compat(self.plain_without_eos)
     expected = self.plain
     self.assertEqual(restored, expected)